frontpl 0.3.0 → 0.3.2

package/README.md

@@ -30,6 +30,7 @@ Follow the prompts to choose:
 - Optional tooling: `oxlint`, `oxfmt`, `vitest`, `tsdown`
 
 When `oxlint` is enabled, generated projects use `@kingsword/lint-config` via `oxlint.config.ts`.
+Generated lint-related dependencies (`oxlint`, `oxlint-tsgolint`, `oxfmt`, `@kingsword/lint-config`) default to `latest` in scaffolded `package.json`.
 
 - Git init
 - GitHub Actions workflows:
@@ -61,10 +62,11 @@ What it does:
 - Detects Node.js major version from `.nvmrc`, `.node-version`, or `package.json#engines.node` (defaults to `22`)
 - Generates `.github/workflows/ci.yml`
 - Optionally generates `.github/workflows/release.yml` (tag/commit/both)
+- Optionally generates `.github/dependabot.yml` with grouped updates (`dependencies`, `github-actions`)
 
 ## GitHub Actions (CI + Release)
 
-frontpl generates workflows that call reusable workflows from `kingsword09/workflows` (pinned to `@v1` by default):
+frontpl generates workflows that call reusable workflows from `kingsword09/workflows` (pinned to commit SHA + `# vX.Y.Z` comment by default):
 
 - CI: `cli-ci.yml`
 - Release (tag, recommended): `cli-release-tag.yml`
@@ -81,6 +83,15 @@ frontpl generates workflows that call reusable workflows from `kingsword09/workf
 - **Trusted publishing (OIDC)**: enable `trustedPublishing: true` (no `NPM_TOKEN` required). Your repo must be configured on npm as a trusted publisher for the calling workflow.
 - **NPM token**: set `trustedPublishing: false` and provide `NPM_TOKEN` in GitHub secrets.
 
+## Dependabot (optional)
+
+When CI workflows are enabled, frontpl can also generate `.github/dependabot.yml`:
+
+- Keeps `github-actions` updates enabled
+- Adds grouped dependencies updates (`groups.dependencies`)
+- Uses the selected `workingDirectory` (`.` -> `/`, monorepo package -> `/packages/<name>`)
+- Maps JavaScript package managers (`npm`/`pnpm`/`yarn`/`bun`) to Dependabot `package-ecosystem: "npm"`
+
 ## Development
 
 ```sh

package/dist/cli.mjs

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { n as runCi, t as runInit } from "./init-CQKT_mPD.mjs";
+import { n as runCi, t as runInit } from "./init-oJwslpqP.mjs";
 import bin from "tiny-bin";
 
 //#region src/cli.ts

package/dist/index.d.mts

@@ -41,6 +41,11 @@ declare function githubCliCiWorkflowTemplate(opts: {
   formatCheckCommand?: string;
   testCommand?: string;
   workflowsRef?: string;
+  workflowsVersion?: string;
+}): string;
+declare function githubDependabotTemplate(opts: {
+  packageManager: "npm" | "pnpm" | "yarn" | "bun" | "deno";
+  workingDirectory: string;
 }): string;
 //#endregion
-export { githubCliCiWorkflowTemplate, oxlintConfigTemplate, packageJsonTemplate, runCi, runInit };
+export { githubCliCiWorkflowTemplate, githubDependabotTemplate, oxlintConfigTemplate, packageJsonTemplate, runCi, runInit };

package/dist/index.mjs

@@ -1,3 +1,3 @@
-import { a as packageJsonTemplate, i as oxlintConfigTemplate, n as runCi, r as githubCliCiWorkflowTemplate, t as runInit } from "./init-CQKT_mPD.mjs";
+import { a as oxlintConfigTemplate, i as githubDependabotTemplate, n as runCi, o as packageJsonTemplate, r as githubCliCiWorkflowTemplate, t as runInit } from "./init-oJwslpqP.mjs";
 
-export { githubCliCiWorkflowTemplate, oxlintConfigTemplate, packageJsonTemplate, runCi, runInit };
+export { githubCliCiWorkflowTemplate, githubDependabotTemplate, oxlintConfigTemplate, packageJsonTemplate, runCi, runInit };

package/dist/{init-CQKT_mPD.mjs → init-oJwslpqP.mjs}

@@ -144,8 +144,18 @@ function packageJsonTemplate(opts) {
 		packageManager: opts.packageManager
 	}, null, 2) + "\n";
 }
+const DEFAULT_WORKFLOWS_REF = "7320d30bcd47cee17cc2d8d28250ba1ab1f742b8";
+const DEFAULT_WORKFLOWS_VERSION = "v1.0.3";
+function resolveWorkflowsPin(opts) {
+	const ref = opts.workflowsRef?.trim() || DEFAULT_WORKFLOWS_REF;
+	const version = opts.workflowsVersion?.trim() || (opts.workflowsRef ? void 0 : DEFAULT_WORKFLOWS_VERSION);
+	return {
+		ref,
+		versionComment: version ? ` # ${version}` : ""
+	};
+}
 function githubCliCiWorkflowTemplate(opts) {
-	const ref = opts.workflowsRef ?? "v1";
+	const { ref, versionComment } = resolveWorkflowsPin(opts);
 	const installCommand = opts.installCommand?.trim();
 	const lintCommand = opts.lintCommand?.trim();
 	const formatCheckCommand = opts.formatCheckCommand?.trim();
@@ -161,7 +171,7 @@ function githubCliCiWorkflowTemplate(opts) {
 		"",
 		"jobs:",
 		"  ci:",
-		`    uses: kingsword09/workflows/.github/workflows/cli-ci.yml@${ref}`,
+		`    uses: kingsword09/workflows/.github/workflows/cli-ci.yml@${ref}${versionComment}`,
 		"    with:",
 		`      packageManager: ${opts.packageManager}`,
 		`      nodeVersion: ${opts.nodeVersion}`,
@@ -177,7 +187,7 @@ function githubCliCiWorkflowTemplate(opts) {
 	].join("\n");
 }
 function githubCliReleaseWorkflowTemplate(opts) {
-	const ref = opts.workflowsRef ?? "v1";
+	const { ref, versionComment } = resolveWorkflowsPin(opts);
 	const trustedPublishing = opts.trustedPublishing;
 	const needsNpmToken = opts.packageManager !== "deno" && trustedPublishing === false;
 	return [
@@ -192,7 +202,7 @@ function githubCliReleaseWorkflowTemplate(opts) {
 		"    permissions:",
 		"      contents: write",
 		"      id-token: write",
-		`    uses: kingsword09/workflows/.github/workflows/cli-release.yml@${ref}`,
+		`    uses: kingsword09/workflows/.github/workflows/cli-release.yml@${ref}${versionComment}`,
 		"    with:",
 		`      packageManager: ${opts.packageManager}`,
 		`      nodeVersion: ${opts.nodeVersion}`,
@@ -203,7 +213,7 @@ function githubCliReleaseWorkflowTemplate(opts) {
 	].join("\n");
 }
 function githubCliReleaseTagWorkflowTemplate(opts) {
-	const ref = opts.workflowsRef ?? "v1";
+	const { ref, versionComment } = resolveWorkflowsPin(opts);
 	const trustedPublishing = opts.trustedPublishing;
 	const needsNpmToken = opts.packageManager !== "deno" && trustedPublishing === false;
 	return [
@@ -218,7 +228,7 @@ function githubCliReleaseTagWorkflowTemplate(opts) {
 		"    permissions:",
 		"      contents: write",
 		"      id-token: write",
-		`    uses: kingsword09/workflows/.github/workflows/cli-release-tag.yml@${ref}`,
+		`    uses: kingsword09/workflows/.github/workflows/cli-release-tag.yml@${ref}${versionComment}`,
 		"    with:",
 		`      packageManager: ${opts.packageManager}`,
 		`      nodeVersion: ${opts.nodeVersion}`,
@@ -229,7 +239,7 @@ function githubCliReleaseTagWorkflowTemplate(opts) {
 	].join("\n");
 }
 function githubCliReleaseBothWorkflowTemplate(opts) {
-	const ref = opts.workflowsRef ?? "v1";
+	const { ref, versionComment } = resolveWorkflowsPin(opts);
 	const trustedPublishing = opts.trustedPublishing;
 	const needsNpmToken = opts.packageManager !== "deno" && trustedPublishing === false;
 	return [
@@ -246,7 +256,7 @@ function githubCliReleaseBothWorkflowTemplate(opts) {
 		"    permissions:",
 		"      contents: write",
 		"      id-token: write",
-		`    uses: kingsword09/workflows/.github/workflows/cli-release-tag.yml@${ref}`,
+		`    uses: kingsword09/workflows/.github/workflows/cli-release-tag.yml@${ref}${versionComment}`,
 		"    with:",
 		`      packageManager: ${opts.packageManager}`,
 		`      nodeVersion: ${opts.nodeVersion}`,
@@ -259,7 +269,7 @@ function githubCliReleaseBothWorkflowTemplate(opts) {
 		"    permissions:",
 		"      contents: write",
 		"      id-token: write",
-		`    uses: kingsword09/workflows/.github/workflows/cli-release.yml@${ref}`,
+		`    uses: kingsword09/workflows/.github/workflows/cli-release.yml@${ref}${versionComment}`,
 		"    with:",
 		`      packageManager: ${opts.packageManager}`,
 		`      nodeVersion: ${opts.nodeVersion}`,
@@ -269,6 +279,56 @@ function githubCliReleaseBothWorkflowTemplate(opts) {
 		""
 	].join("\n");
 }
+function toDependabotDirectory(workingDirectory) {
+	const normalized = workingDirectory.trim();
+	if (!normalized || normalized === ".") return "/";
+	return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function resolveDependabotPackageEcosystem(packageManager) {
+	if (packageManager === "deno") return;
+	return "npm";
+}
+function githubDependabotTemplate(opts) {
+	const packageEcosystem = resolveDependabotPackageEcosystem(opts.packageManager);
+	const directory = toDependabotDirectory(opts.workingDirectory);
+	return [
+		"version: 2",
+		"updates:",
+		...packageEcosystem ? [
+			`  - package-ecosystem: "${packageEcosystem}"`,
+			`    directory: "${directory}"`,
+			"    schedule:",
+			"      interval: \"weekly\"",
+			"      day: \"monday\"",
+			"      time: \"03:00\"",
+			"      timezone: \"America/Los_Angeles\"",
+			"    open-pull-requests-limit: 10",
+			"    groups:",
+			"      dependencies:",
+			"        patterns:",
+			"          - \"*\"",
+			"    labels:",
+			"      - \"dependencies\"",
+			""
+		] : [],
+		"  - package-ecosystem: \"github-actions\"",
+		"    directory: \"/\"",
+		"    schedule:",
+		"      interval: \"weekly\"",
+		"      day: \"monday\"",
+		"      time: \"03:00\"",
+		"      timezone: \"America/Los_Angeles\"",
+		"    open-pull-requests-limit: 10",
+		"    groups:",
+		"      github-actions:",
+		"        patterns:",
+		"          - \"*\"",
+		"    labels:",
+		"      - \"dependencies\"",
+		"      - \"github-actions\"",
+		""
+	].join("\n");
+}
 function yamlString(value) {
 	return JSON.stringify(value);
 }
@@ -338,7 +398,7 @@ async function runCi() {
 		const nodeVersionText = await text({
 			message: "Node.js major version (for GitHub Actions)",
 			initialValue: String(nodeVersionDefault),
-			validate: (value) => {
+			validate: (value = "") => {
 				const major = Number.parseInt(value.trim(), 10);
 				if (!Number.isFinite(major) || major <= 0) return "Enter a valid major version (e.g. 22)";
 			}
@@ -375,8 +435,14 @@ async function runCi() {
 			initialValue: true
 		}) : void 0;
 		if (isCancel(trustedPublishing)) return abort();
+		const addDependabot = await pathExists(path.join(rootDir, ".git")) ? await confirm({
+			message: "Add/update Dependabot config (.github/dependabot.yml)?",
+			initialValue: true
+		}) : false;
+		if (isCancel(addDependabot)) return abort();
 		const ciWorkflowPath = path.join(rootDir, ".github/workflows/ci.yml");
 		const releaseWorkflowPath = path.join(rootDir, ".github/workflows/release.yml");
+		const dependabotPath = path.join(rootDir, ".github/dependabot.yml");
 		if (!await confirmOverwriteIfExists(ciWorkflowPath, ".github/workflows/ci.yml")) {
 			cancel("Skipped CI workflow");
 			process.exitCode = 0;
@@ -401,7 +467,13 @@ async function runCi() {
 				trustedPublishing
 			}));
 		}
-		outro(addRelease ? "Done. Generated CI + release workflows in .github/workflows/." : "Done. Generated CI workflow in .github/workflows/.");
+		if (addDependabot) {
+			if (await confirmOverwriteIfExists(dependabotPath, ".github/dependabot.yml")) await writeText(dependabotPath, githubDependabotTemplate({
+				packageManager,
+				workingDirectory
+			}));
+		}
+		outro(addRelease ? "Done. Generated CI + release workflows (and optional Dependabot)." : "Done. Generated CI workflow (and optional Dependabot).");
 	} catch (err) {
 		if (err instanceof CancelledError) return;
 		throw err;
@@ -532,7 +604,7 @@ async function promptCommand(message, initialValue) {
 	const value = await text({
 		message,
 		initialValue,
-		validate: (v) => !v.trim() ? "Command is required" : void 0
+		validate: (v = "") => !v.trim() ? "Command is required" : void 0
 	});
 	if (isCancel(value)) return abort();
 	return String(value).trim();
@@ -737,6 +809,11 @@ async function runInit({ nameArg }) {
 		]
 	}) : void 0;
 	if (isCancel(releaseMode)) return onCancel();
+	const addDependabot = initGit && githubActions !== "none" ? await confirm({
+		message: "Add Dependabot config (.github/dependabot.yml)?",
+		initialValue: true
+	}) : false;
+	if (isCancel(addDependabot)) return onCancel();
 	const trustedPublishing = githubActions === "ci+release" && packageManager !== "deno" ? await confirm({
 		message: "Release: npm trusted publishing (OIDC)?",
 		initialValue: true
@@ -780,7 +857,7 @@ async function runInit({ nameArg }) {
 			useOxlint,
 			oxlintVersion: "latest",
 			oxlintTsgolintVersion: "latest",
-			kingswordLintConfigVersion: "^0.1.1",
+			kingswordLintConfigVersion: "latest",
 			useOxfmt,
 			oxfmtVersion: "latest",
 			useVitest,
@@ -810,6 +887,10 @@ async function runInit({ nameArg }) {
 			formatCheckCommand,
 			testCommand
 		}));
+		if (addDependabot) await writeText(path.join(rootDir, ".github/dependabot.yml"), githubDependabotTemplate({
+			packageManager,
+			workingDirectory
+		}));
 	}
 	if (githubActions === "ci+release") {
 		const workingDirectory = pnpmWorkspace ? path.posix.join("packages", projectName) : ".";
@@ -832,7 +913,7 @@ async function runInit({ nameArg }) {
 	outro(`Done. Next:\n  cd ${projectName}${!canInstall ? `\n  (${packageManager} not found, run install manually)` : !installOk ? `\n  (${packageManager} install failed, run install manually)` : ""}\n  ${nextStepHint(packageManager)}`);
 }
 function validateProjectName(value) {
-	const name = value.trim();
+	const name = (value ?? "").trim();
 	if (!name) return "Project name is required";
 	if (name.length > 214) return "Project name is too long";
 	if (name.startsWith(".")) return "Project name cannot start with '.'";
@@ -855,4 +936,4 @@ function nextStepHint(pm) {
 }
 
 //#endregion
-export { packageJsonTemplate as a, oxlintConfigTemplate as i, runCi as n, githubCliCiWorkflowTemplate as r, runInit as t };
+export { oxlintConfigTemplate as a, githubDependabotTemplate as i, runCi as n, packageJsonTemplate as o, githubCliCiWorkflowTemplate as r, runInit as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frontpl",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "Interactive CLI to scaffold standardized frontend project templates.",
   "keywords": [
     "cli",
@@ -49,15 +49,15 @@
     "prepublishOnly": "pnpm run build"
   },
   "dependencies": {
-    "@clack/prompts": "^0.11.0",
-    "tiny-bin": "^1.11.3"
+    "@clack/prompts": "^1.0.0",
+    "tiny-bin": "^2.0.0"
   },
   "devDependencies": {
     "@kingsword/lint-config": "^0.1.1",
     "@types/node": "^25.0.10",
-    "oxfmt": "^0.28.0",
-    "oxlint": "^1.43.0",
-    "oxlint-tsgolint": "^0.11.1",
+    "oxfmt": "^0.31.0",
+    "oxlint": "^1.46.0",
+    "oxlint-tsgolint": "^0.11.5",
     "tsdown": "^0.20.1",
     "typescript": "^5.9.3"
   },